Ideas for making computing simpler, more powerful and more secure.
Published on November 24, 2007 By EHolman In Windows Software
Like everyone who has used Windows, I'm very frustrated with the Windows virus/adware/spyware treadmill, and the associated threat to privacy, drain on computing resources, and overall detriment to the computing experience. I have used, to my loathing, various AV products, and suffered through their signature updates, version upgrade requests and, most significantly, their substantial drain on hardware performance.

I'm also very frustrated with every-piece-of-software-needing-updates-from-the-internet trend. Why can't I dictate how and when my software gets updated?

Why can't there be a simple way to do away with these threats? To make Windows bring peace-of-mind after each use, rather than the worry of "What's infected my computer now"? And restore the powerful zippy computing experience of a new computer?

I have built a solution which brings me this kind of peace of mind:

1. My main workstation, let's call it WS-MAIN, stores all of my data (except for email). This machine is not connected to the internet, due to a firewall rule I placed in my router. This machine has a clean build of Windows with all the software I use for programming, web development, etc. This machine has no virus scan, malware detector or the like installed. I enjoy a fast, clean computing experience.

With no connection to the internet, I no longer have concerns about what a browser might bring down. Nor do I have concerns about hidden flaws in Windows that would allow an internet probe to gain access. Nor do I have to worry about automatic software updates (Windows or otherwise) upsetting my carefully built apple cart.

2. My second workstation, let's call it WS-INT, is connected to the internet. This box is actually an old machine with modest hardware. This machine contains the browser (Firefox) and email client I use. This machine also uses a restore-on-reboot utility (Horizon DataSys Drive Vaccine PC Restore Plus). With this utility, Windows is restored to a pristine condition after every reboot. Therefore any nasties that might come down over the internet are wiped out after each reboot.

To keep bookmarks from being wiped out, I use Google browser sync in Firefox. So any new bookmarks are always restored. I keep my email on a second internal hard drive, which is not protected by Drive Vaccine. This is a small security hole, but I have ideas on how I will keep this drive scanned for viruses.

So, at WS-MAIN I have three monitors (one 24" in the middle, two 17"s on each side), and I use Windows' Remote Desktop Connection to view WS-INT. I have a terrific workstation environment that allows me to surf the 'net with fast, infection-free hardware. RDC allows me to copy and paste data and files sufficiently from WS-INT to provide a seamless experience. And I have the peace of mind knowing my data and hardware are secure.

How about you? Do you have any power schemes which you've found to improve your computing experience?

EHolman
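
An added example (not part of the original post): a Python check to run on WS-MAIN that confirms the router rule described above really blocks outbound internet traffic while the LAN path to WS-INT's Remote Desktop port stays open. The LAN address for WS-INT, the public probe endpoints and the DNS test name are assumptions; substitute your own.

```python
import socket

# Assumed values, not taken from the post: WS-INT's LAN address and a few
# well-known public endpoints used only as egress probes.
LAN_TARGETS = [("192.168.1.20", 3389)]            # WS-INT, Remote Desktop
INTERNET_TARGETS = [("1.1.1.1", 443), ("8.8.8.8", 53), ("9.9.9.9", 443)]


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_isolation(lan_targets, internet_targets, probe=tcp_reachable,
                    resolve=socket.gethostbyname, dns_name="example.com"):
    """Return (isolated, findings) for the machine this runs on."""
    findings = []
    # Any completed outbound connection means the router rule is not holding.
    for host, port in internet_targets:
        if probe(host, port):
            findings.append(f"LEAK: outbound TCP to {host}:{port} succeeded")
    # An answered lookup means something is still resolving names for this
    # host (often the router's DNS proxy), even if TCP is blocked.
    try:
        resolve(dns_name)
        findings.append(f"LEAK: DNS lookup of {dns_name} was answered")
    except OSError:
        pass
    # The LAN path is expected to work; a failure here is a usability
    # warning, not an isolation failure.
    for host, port in lan_targets:
        if not probe(host, port):
            findings.append(f"WARN: LAN service {host}:{port} unreachable")
    isolated = not any(f.startswith("LEAK") for f in findings)
    return isolated, findings


if __name__ == "__main__":
    ok, notes = audit_isolation(LAN_TARGETS, INTERNET_TARGETS)
    print("WS-MAIN isolated" if ok else "WS-MAIN is NOT isolated")
    for note in notes:
        print("  " + note)
```

Running it after any router firmware update or configuration change shows whether the block rule survived.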

Comments
on Nov 24, 2007
"This machine is not connected to the internet, due to a firewall rule I placed in my router."


Uh...if it is connected to a router or even a network that is connected to a router - firewall or not - it is vulnerable.

Let's just say I made a living at one time doing things that would prove my point here.
on Nov 24, 2007
Thanks Ranger375, I'm looking for insights just like yours. I'm also interested in a hardware based disconnect switch, which I could use to physically disconnect from the router when I don't need network/internet access. At least with my configuration, I don't have to worry about any threats I would bring on myself.

When the machine is disconnected from the router, it's not vulnerable, right? And when it's powered off, it's not vulnerable, right?
on Nov 24, 2007
That is right - if you are looking for true security from an outside threat a hardware switch will do it!

I don't want to make you feel as if nothing you can do will work - I will just add though - remember - the exposed computer can hold a virus that will launch as soon as it sees a new network connection - such as when you flip the switch on the secured computer. We called these "sleepers" and they just sat around waiting for a new connection.

Having said all this - what are the chances that someone with the skills to break through a defense-in-depth security structure is going to target you? Very slim actually.

You are taking very extensive steps that I am sure, connected to a router or not, will be effective.

The most effective security structures out there are designed by the Israelis; they use very sophisticated "sandboxes and honey pots" that beg any attack to come to them. They then use markers or tags to track back to the attack and do all kinds of nasty things.

You would find all of this very interesting with what you are working on. The problem is - there is very little information on systems such as these.



on Nov 24, 2007
Very cool feedback, thanks Ranger375. I'd like to find more information on these types of tricks, but as you say there is little published information.